back to article Gaping hole in Google service exposes thousands to ID theft

A security flaw accessible via Google's UK motor insurance aggregator Google Compare has potentially exposed vast numbers of drivers to identity theft. The vulnerability, the existence of which has been verified by The Register, made it possible for comprehensive personal details - including names, addresses, phone numbers and …

COMMENTS

This topic is closed for new posts.
Rob
Bronze badge

Blimey...

... your premium was about 4k, what car were you insuring and did you have previous convictions for hit and run whilst drunk, driving with your knees, keeping your hands free to smoke crack?

0
0
Bronze badge

Re: Blimey...

£4k isn't a lot.

I've been quoted nearly £2.5k in the past (obviously didn't touch it with a bargepole) to insure a £300 Mondeo with 3 years NCB third-party only, for a 30-something with kid, clean license, 20k miles.

Remember, it's a quote. That means they tell you what they want you to pay and then you decide whether to pay or not. In this case, not, but I'm sure there are people out there being quoted at least £4k quite regularly and even some people PAYING that.

God knows what it costs to insure one of those Porsche 4x4 monstrosities for a mother with a few fender-benders to her name, but I bet it's more than £4k.

0
0
Anonymous Coward

Re: Blimey...

My insurance is 1.7k after getting it down from 4.5 by fiddling around with my address. (It's not registered at my grandmother's house)

I've not had an accident and doing a quote on here it's gone back up to 4k...

0
0
jrd

Re: Blimey...

Jeremy Clarkson was apparently quoted over £20,000 to insure a Ford Escort (a fast one), and that was over 20 years ago. Expensive car insurance isn't only a modern phenomenon!

(And I think that was before he was famous, so I don't think they pushed the quote up because it was him...)

0
0
Gold badge
Happy

Re: Blimey...

That's why Ford phased out the Cosworth.

It was well known that for many, the annual insurance premium exceeded the cost of the car.

A colleague told me of a wealthy friend with more money than sense, who bought one as a 21st birthday present for his son. Purchase price was twenty-something grand, cost of insuring it for said son was twenty-something-rather-larger grand. It sat on the drive while this conundrum was pondered.

During said pondering and while it was sat, uninsured, on said drive it was stolen, thus neatly illustrating one of the reasons why the insurance on them was so pricey.

6
0
Rob
Bronze badge

Re: Blimey...

... and again Blimey!

I get cheesed off when I get a quote back for more than £300 fully comp.

1
0
Thumb Up

Re: Blimey...

"Occupation: Journalist"

Cha-ching!

1
0

Re: Blimey...

Blimeyyy..

I pay £800 at 23 years old insured on a 3.0 litre BMW with only 1 year no claims.

0
0
Bronze badge
Facepalm

Re: Blimey...

Location has a lot to do with it. My insurance on a 1.4l Peugeot 206 is over £400, even with seven years no claims, presumably because I'm parking it on the street in the middle of Bristol.

To be fair, it has been broken into several times (I never claimed, they only nicked the stereo), so perhaps they have their reasons.

0
0
Anonymous Coward

Nice and you would hope Google were better than this.

1
0
Bronze badge

nice job, El Reg

One thing missing. I understand the number of people whose details might have been stolen is very high. Google should now go through the logs to discover actual people whose details have been stolen. Yes it will likely cost significant time and resources but it is exactly what ICO needs to know, as well as people affected.

Google does not seem to care about responsibility coming with collection of personal data - it is ICO role to teach them. If they do not store the logs to fulfill its responsibility in data protection, the service simply should not have been offered.

4
0
Anonymous Coward

Re: nice job, El Reg

Google does not seem to care about responsibility coming with collection of personal data

It never has - that has been the problem from day 1. But try telling that to the believers of "do no harm" ..

3
2
Bronze badge

Re: nice job, El Reg

Yes, the question is: will ICO do something about it? I hope the mandate they have is clear, but are they determined enough to enforce it?

1
0
Anonymous Coward

Re: nice job, El Reg

Yes, they will immediately write them a stern letter telling them they must do better.

3
0
Anonymous Coward

Google makes shit products Shocker

Fixed that headline for you.

2
4
Anonymous Coward

Re: Google makes shit products Shocker

Did you stop reading before the bit about the flaw being with the third party software provider SSP?

6
0

Re: Google makes shit products Shocker

Of he didn't, but then that what the headline was design to do. If it was a honest headline, it would have been more Gaping hole found in SSP software use by Google Compare, Go compare and many others ;

But then that not an attention grabbing, Google hating crowd pleaser is it, to be fair a even better more accurate description be "Gaping hole found in SSP software us by price comparison websites" but that even less attention grabbing than the first one I wrote.

2
1
Anonymous Coward

Re: Google makes shit products Shocker

Probing new depths here. Not just incapability of using the past tense.

* THAT'S

* DESIGNED

* AN honest headline

* USED BY

* AN even better...

"wrote" is a bit of a strong word to describe what you have done there.

How do you possibly manage the advanced techniques involved in switching on a computer?

0
0
Anonymous Coward

What a shame Tavis Ormandy didn't spend some more time looking into vulnerabilities in his own company's products.

Well done to The Register for their seemingly responsible disclosure.

2
1
Bronze badge

Bounty?

Doesn't Google give bounty for people finding holes in their systems?

Anyone at El Reg looking into that

-no bounty hunter logo?

0
0

Re: Bounty?

I suspect Go Compare offered the anonymous source who discover the hack enough money to keep it quiet and keep it hidden from Google, why Go compare they get a chance to fix their systems before the hacker or someone else go public with story via the Register. That way Google compare and Google as a whole comes away with its reputation damage, Go Compare comes away smelling of roses.

Perhaps Register could confirm whether this anonymous source has any prior dealings with Go Compare and or other price comparison sites and SSP and confirm whether or not he sold the flaw to them and for how much. If this information is not forth coming then do some investigating and find out why it is not forth coming.

0
1
(Written by Reg staff)

Re: Bounty?

As Google is insisting that the hole is in somebody else's system, I do believe I'd have to go legal in order to get any money out of them.

1
0

This post has been deleted by its author

(Written by Reg staff)

Re: Bounty?

Seems to me if you're running a system you have some responsibility to audit what happens to the data entered into it, including after it's left your system. If Go Compare wasn't vulnerable to this flaw, then just maybe it was because Go Compare's techies were doing their job, right?

0
0
Anonymous Coward

@ David 164

You sir are a complete and utter retard. I must insist that you throw away your keyboard so it does not have to suffer any longer. It is not fair to subject it to this kind of abuse, it wouldn't be so bad if you could actually write a single coherent English sentence.

I suspect that you are not actually severely mentally disabled but in fact just deliberately and wantonly ignorant which is in fact worse.

1
1

Re: @ David 164

At least, I am not a anonymous coward.

1
1
Anonymous Coward

Re: @ David 164

Which surprises me... If my writing was that bad I wouldn't want even a pseudonym associated with it!

0
0
Anonymous Coward

It's never Google's fault

Don't we know the party line already? It's always a "contractor", "rogue engineer", "consultant in India"...

Google is nothing but fucking perfect and makes no shit whatsoever. Actually, it does make shit but it's delicious, low in fat and you only need to watch Grannydating ads to have it.

0
3

This post has been deleted by its author

Silver badge
FAIL

Re: It's never Google's fault

It's only Thursday but we already have a sure fire winner for shit post of the week. Congratulations.

0
0

Not just insurance

My employer offered a local discount card through their online store system, and I bought one. The final stage said "you have now been logged out; to view your receipt, go to http://store.example.ac.uk/receipt?id=123". Wait ... if I was logged out, how could that URL authenticate me?

Sure enough, changing the 123 yielded the details of other customers: what they bought, how they paid, delivery address etc. Whoops. I contacted the internal person in charge, who said "oops ... that's hosted by an outside contractor, we will go and shout at them now". To be fair, they did get it fixed when I pointed it out, but it's alarming a fault that obvious existed in the first place!

1
0
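
The receipt-URL flaw described in the post above, as an added example that is not part of the original thread or of any system named in it: a lookup that trusts the `id` parameter alone, next to a link that stays usable after logout because it carries an HMAC over the receipt id and an expiry. The function names, the `exp` and `sig` parameters, the key and the sample records are all hypothetical.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample records; every name and field here is hypothetical.
RECEIPTS = {
    123: {"owner": "alice", "items": ["discount card"]},
    124: {"owner": "bob", "items": ["discount card"]},
}
SECRET_KEY = b"example-only-key"  # assumption: loaded from a secret store in practice
LINK_TTL = 900                    # seconds a post-logout receipt link stays valid


def vulnerable_receipt(receipt_id):
    """Flawed pattern: the sequential id in the URL is the only 'credential'."""
    return RECEIPTS.get(receipt_id)


def _sign(receipt_id, expires):
    # The MAC covers both id and expiry, so neither can be edited independently.
    msg = f"{receipt_id}:{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_receipt_link(receipt_id, now=None):
    """Issued once, at checkout, to the buyer of this receipt."""
    issued = int(time.time() if now is None else now)
    expires = issued + LINK_TTL
    return f"/receipt?id={receipt_id}&exp={expires}&sig={_sign(receipt_id, expires)}"


def fetch_receipt(url, now=None):
    """Hardened lookup: serve the receipt only for an intact, unexpired link."""
    query = parse_qs(urlsplit(url).query)
    try:
        rid, exp, sig = int(query["id"][0]), int(query["exp"][0]), query["sig"][0]
    except (KeyError, ValueError):
        return None  # missing or malformed parameters
    # Constant-time comparison; fails if id or exp were changed after signing.
    if not hmac.compare_digest(_sign(rid, exp).encode(), sig.encode()):
        return None
    current = int(time.time() if now is None else now)
    if current > exp:
        return None  # link has expired
    return RECEIPTS.get(rid)
```
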